Overview

overview

10

Static

static

3

a.exe

windows10-1703-x64

10

Resubmissions

13-06-2023 15:08

230613-sh5ehagg67 10

12-06-2023 12:37

230612-ptx8sacc46 10

09-06-2023 19:42

230609-yevzjsea3z 10

08-06-2023 16:59

230608-vhg1bahg5z 10

07-06-2023 18:26

230607-w3ealaec62 10

07-06-2023 18:23

230607-w1vjsseg31 10

06-06-2023 14:12

230606-rjb9nsea66 10

05-06-2023 13:48

230605-q395dagh57 10

02-06-2023 11:55

230602-n3t22sbe8z 10

30-05-2023 13:02

230530-p98pfsaa3x 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    a.bin

  • Size

    5KB

  • Sample

    230609-yevzjsea3z

  • MD5

    8ce1f6882edc51f701bbe648e40dd133

  • SHA1

    496b3df4657e9d11df14a8ad267061d97249b511

  • SHA256

    188e97ba18d7394cb3949e66c8aeb062e3ea8675371d0ee2b5126b52366530ae

  • SHA512

    5826ea307fa12db5a8005fae8758314c0810e956ead3504fda7cadaccdbe737d609dfdfdc51996ab2eb350eae20398f8fbb97b16aa01f2af373c1ba20767d7d6

  • SSDEEP

    48:6jtGAK8lb9ivcfaFSfkQLJhyPFlL8thCb/IExQpwOulavTqXSfbNtm:OI0iUaakQqDgtmQpmsvNzNt

Score
10/10
cobaltstrikeredlinesectopratsmokeloaderstealcvidar01000001223a64ca0c195d3c6bc2a04ada079183388duhatdszxc1backdoorevasioninfostealerratstealertrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://transparenciacanaa.com.br/cidadejunina/js/vendor/debug2.ps1

Extracted

Family

cobaltstrike

C2

http://43.153.222.28:4646/c9uL

Attributes
  • user_agent

    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; yie9)

Extracted

Family

cobaltstrike

Botnet

100000

C2

http://43.153.222.28:4646/push

Attributes
  • access_type

    512

  • host

    43.153.222.28,/push

  • http_header1

    AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • polling_time

    60000

  • port_number

    4646

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCPwjCZRkIjRN92nugrS5l0384q/BWQnN0JKM8QSNJru7gg5JibPdKhwgWse4/vRHpd9eu0wpSN1kxhMXC0GOhRg/TRyv5q41zzWurCIOHq13S55c+J/27HYD/DBLtL+5BWbXx9lhM38OGBxcVec4FxCLotANPMB+vOv/rVa32tYQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /submit.php

  • user_agent

    Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)

  • watermark

    100000

Extracted

Family

cobaltstrike

Botnet

0

Attributes
  • watermark

    0

Extracted

Family

redline

Botnet

TDS

C2

51.79.184.226:25676

Attributes
  • auth_value

    e889b0d7bd655b548c29ef635ce69d26

Extracted

Family

vidar

Version

4.2

Botnet

a64ca0c195d3c6bc2a04ada079183388

C2

https://steamcommunity.com/profiles/76561199511129510

https://t.me/rechnungsbetrag
Attributes
  • profile_id_v2

    a64ca0c195d3c6bc2a04ada079183388

  • user_agent

    Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.38 Safari/537.36 Brave/75

Extracted

Family

redline

Botnet

1223

C2

80.85.241.28:36723

Attributes
  • auth_value

    1162933edb12f699eedc4c04dd76667a

Extracted

Family

redline

Botnet

zxc1

C2

194.50.153.103:47128

Attributes
  • auth_value

    842f769e02ef52dcf9aa57e5c8d3d07b

Extracted

Family

smokeloader

Version

2022

C2

http://aapu.at/tmp/

http://poudineh.com/tmp/

http://firsttrusteedrx.ru/tmp/

http://kingpirate.ru/tmp/
rc4.i32
rc4.i32

Extracted

Family

stealc

C2

http://45.15.157.6/9827126d94c3e848.php

Extracted

Family

redline

Botnet

duha

C2

83.97.73.129:19068

Attributes
  • auth_value

    aafe99874c3b8854069470882e00246c

Targets

    • Target

      a.bin

    • Size

      5KB

    • MD5

      8ce1f6882edc51f701bbe648e40dd133

    • SHA1

      496b3df4657e9d11df14a8ad267061d97249b511

    • SHA256

      188e97ba18d7394cb3949e66c8aeb062e3ea8675371d0ee2b5126b52366530ae

    • SHA512

      5826ea307fa12db5a8005fae8758314c0810e956ead3504fda7cadaccdbe737d609dfdfdc51996ab2eb350eae20398f8fbb97b16aa01f2af373c1ba20767d7d6

    • SSDEEP

      48:6jtGAK8lb9ivcfaFSfkQLJhyPFlL8thCb/IExQpwOulavTqXSfbNtm:OI0iUaakQqDgtmQpmsvNzNt

    Score
    10/10
    cobaltstrikeredlinesectopratsmokeloaderstealcvidar01000001223a64ca0c195d3c6bc2a04ada079183388duhatdszxc1backdoorevasioninfostealerratstealertrojan

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

      trojanbackdoorcobaltstrike

    • Detects Stealc stealer

      stealer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Stealc

      Stealc is an infostealer written in C++.

      stealerstealc

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Downloads MZ/PE file

    • Stops running service(s)

      evasion

    • Executes dropped EXE

    • Uses the VBS compiler for execution

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Scheduled Task

1
T1053

Command-Line Interface

1
T1059

Persistence

Modify Existing Service

1
T1031

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Impair Defenses

1
T1562

Scripting

1
T1064

Credential Access

Discovery

System Information Discovery

2
T1082

Process Discovery

1
T1057

Remote System Discovery

1
T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Service Stop

1
T1489

Tasks